
FS#68063 - [security][python2] backport 3 security fixes - courtesy of Gentoo and Fedora backporting efforts

Attached to Project: Arch Linux
Opened by Siegfried Metz (NiceGuy) - Thursday, 01 October 2020, 01:53 GMT
Last edited by freswa (frederik) - Thursday, 01 October 2020, 02:01 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

Description:

Security fixes for Python 2.7: [1]:
*) CVE-2019-20907 (python2: python: infinite loop in the tarfile module via crafted TAR archive),
*) CVE-2020-8492 (python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS),
*) CVE-2020-26116 (python27: python: CRLF injection via HTTP request method in httplib/http.client)

Python 2 is already end of life and does not officially receive any further updates or security updates any more. As EOL is a matter of fact, all GNU/Linux distributions, BSDs and other OSes are still vulnerable to Python2's found vulnerabilities with no upstream backporting effort.

There is, however, at least one highly active Gentoo developer by the name of Michał Górny (who I hope isn't offended by my using his name and blog post here), who made sure certain security vulnerabilities affecting Python3 also got backported to Python2, which he described in his blog post [2], which I became aware of.
He also made sure Pypy{2,3} 7.3.2 got security fixes applied, so it's his effort I want to congratulate and thank.

Basically, Gentoo [3] and Fedora backported CVE-2019-20907 (infinite loop in tarfile), CVE-2020-8492 (ReDoS in basic HTTP auth handling) and bpo-39603 (header injection via HTTP method). Mostly because the patch from Python 3 applied cleanly to Python 2.7.


That makes Gentoo and Fedora the first distributions to backport security fixes to Python 2, although EOL'ed.

Arch should follow suit and apply those backports and security fixes. Yes, those backports are unofficial and initially only for Python3 and I am aware that Arch follows the rule to prefer "vanilla" packages. In this special case, however, there is no more upstream effort to begin with.

Even if, maybe, a lot of us 'Archers' got rid of Python2 (via sudo pacman -Rscn python2, for instance), we are all stuck for a longer period than we all want with Python2 in the form of still used Python2 MAKEDEPENDS in a lot of packages. Even though Python2 is no longer installed, certain Arch officially built packages with Python2 MAKEDEPENDS make us all vulnerable if no backports are applied.

We all want to get rid of Python2 by now, but the truth is we are not there yet. None of the GNU/Linux distributions are. So at least we should apply a few selected security fixes to Python2 to make it less vulnerable, until the time we surely sunset all of the Python2 packages for good (hopefully in the not so distant future).


[1]:
Bug 1856485 - CVE-2019-20907 python2: python: Avoid infinite loop when reading specially crafted TAR files
https://bugzilla.redhat.com/show_bug.cgi?id=1856485
https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9251de272

Bug 1809065 - CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
https://bugzilla.redhat.com/show_bug.cgi?id=1809065

Bug 1883244 - CVE-2020-26116 python27: python: CRLF injection via HTTP request method in httplib/http.client
https://bugzilla.redhat.com/show_bug.cgi?id=1883244

[2]: https://blogs.gentoo.org/mgorny/2020/09/12/new-vulnerability-fixes-in-python-2-7-and-pypy/
[3]: https://dev.gentoo.org/~mgorny/dist/python/python-gentoo-patches-2.7.18-r3.tar.xz

3 patches inside python-gentoo-patches-2.7.18-r3.xz:
0017-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-.patch
0018-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
0019-bpo-39603-Prevent-header-injection-in-http-methods-G.patch

Additional info:
* >=python-2.7.18-2

Steps to reproduce:
Apply the 3 security patches by Gentoo/Fedora on top of Python2 and be a bit "safer" thanks to those backports.
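The header-injection class behind CVE-2020-26116 (bpo-39603), as an added illustration that is not part of the bug report and not CPython's own code: a constructed request-line builder in the shape of httplib's putrequest(), beside the control-character check that the bpo-39603 fix introduces. The regex and the function names below follow the approach of that fix but are assumptions for this illustration, not the stdlib's identifiers.

```python
import re

# Constructed stand-in for what httplib's putrequest() did before bpo-39603:
# the caller-supplied method is interpolated into the request line unchecked,
# so a method containing CR/LF ends the request line early and whatever
# follows is sent as extra header lines.
def build_request_line_unvalidated(method, url, version="HTTP/1.1"):
    return "%s %s %s\r\n" % (method, url, version)

# The bpo-39603 fix rejects any ASCII control character (0x00-0x1f) in the
# method before the request line is assembled. This pattern mirrors that
# approach; it is an illustration, not the stdlib's own definition.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")

def is_valid_method(method):
    """True when the method carries no ASCII control characters."""
    return _DISALLOWED_METHOD_CHARS.search(method) is None

def validate_method(method):
    """Raise ValueError for a method that could split the request line."""
    if not is_valid_method(method):
        raise ValueError("method can't contain control characters. %r" % (method,))
    return method

# Hardened builder: same request line, but only after the method passed the check.
def build_request_line_validated(method, url, version="HTTP/1.1"):
    return build_request_line_unvalidated(validate_method(method), url, version)

# Defensive check on the assembled bytes: a well-formed request line has exactly
# one CRLF, at its end. Useful when auditing what an unpatched client emits.
def request_line_is_clean(line):
    if not line.endswith("\r\n"):
        return False
    body = line[:-2]
    return "\r" not in body and "\n" not in body
```

With the unvalidated builder, a constructed method such as "GET\r\nX-Injected: 1" yields a request line that fails request_line_is_clean(); the validated builder refuses it with ValueError instead.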